Security Vulnerability in Google Cloud Build Allows Unauthorized Access and Manipulation

A Newly Discovered Vulnerability in Google Cloud Build Raises Supply Chain Security Concerns

The Bad.Build Issue

Researchers at Orca Security recently uncovered a vulnerability in Google Cloud Build, a service that enables users to build, test, and deploy applications on the Google Cloud Platform. The vulnerability, dubbed Bad.Build, allows attackers to tamper with and inject malware into images stored in Artifact Registry, Google’s repository for hosting software artifacts. This poses a significant supply chain risk as any applications utilizing compromised container images may be vulnerable to malware infections, denial-of-service attacks, data theft, and other harmful consequences.

Google was notified about the issue by Orca Security, and a fix was issued in June. However, Orca has described the fix as inadequate, only partially addressing the vulnerability. Roi Nisimi, a cloud threat researcher at Orca, emphasized the severity of the flaw and its potential consequences, drawing parallels to recent supply chain attacks like SolarWinds, 3CX, and MOVEit. The Bad.Build flaw is fundamentally a design issue related to default permissions associated with Google Cloud Build, giving adversaries an easier route to access audit logs containing a comprehensive list of permissions linked to all Google Cloud Platform (GCP) accounts within a specific project.

The Exploitation and Fix

Orca’s research determined that with the cloudbuild.builds.create permission, an attacker could impersonate the Cloud Build Service account and view all project permissions. By creating a new build and executing a few lines of code, an attacker can escalate privileges and perform actions allowed by the Cloud Build Service Account, including manipulating images and injecting malicious code.

Google’s initial fix involved removing the logging permission from the default Google Cloud Build service role, thereby restricting access to audit logs. However, Orca highlighted that any other role carrying the cloudbuild.builds.create permission can still be used to exploit the vulnerability unless organizations explicitly revoke the default permissions of Google Cloud Build. Google’s position appears to place the burden on customers to restrict permissions and lock down access further in order to reduce supply chain attack risk.

Supply Chain Risks and the Responsibility of Organizations

Google acknowledges the potential supply chain attack risks associated with Bad.Build but asserts that they stem from organizations choosing to enable default permissions that support common development workflows. While Google has taken measures to mitigate the issue, such as revoking certain permissions from the Cloud Build service account, they place the onus on customers to limit the cloudbuild.builds.create permission to minimize the risk of supply chain attacks.
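Because both the flaw and Google’s recommended mitigation hinge on who holds cloudbuild.builds.create, a least-privilege review starts by enumerating the principals that have it. The following script is an added example, not code from Orca or Google: it walks a project IAM policy in the JSON shape `gcloud projects get-iam-policy` returns and reports every member whose bound roles include that permission. The role-to-permission table, the sample policy, and the member names are constructed for the example.

```python
import json

# The permission the Bad.Build research identified as the pivot point.
TARGET_PERMISSION = "cloudbuild.builds.create"

# Role -> permissions table, constructed and abbreviated for this example
# (only a couple of permissions per predefined role are listed). In a real
# audit, build it from `gcloud iam roles describe <role>` (includedPermissions).
ROLE_PERMISSIONS = {
    "roles/owner": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/editor": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/cloudbuild.builds.editor": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/cloudbuild.builds.viewer": {"cloudbuild.builds.get", "cloudbuild.builds.list"},
    "roles/viewer": {"cloudbuild.builds.get", "cloudbuild.builds.list"},
}

# Constructed project IAM policy (same layout as `gcloud projects get-iam-policy
# PROJECT --format=json`); the project and member names are placeholders.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
    {"role": "roles/cloudbuild.builds.editor",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["group:devs@example.com",
                 "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "projects/example-project/roles/customDeployer",
     "members": ["user:ops@example.com"]}
  ]
}""")


def principals_with_permission(policy, role_permissions=ROLE_PERMISSIONS,
                               permission=TARGET_PERMISSION):
    """Return (hits, unknown_roles): hits maps each member to the sorted roles
    through which it holds `permission`; unknown_roles lists roles missing from
    the table (e.g. custom roles) so they are reviewed rather than assumed safe."""
    hits, unknown = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        perms = role_permissions.get(role)
        if perms is None:
            unknown.add(role)
            continue
        if permission in perms:
            for member in binding.get("members", []):
                hits.setdefault(member, []).append(role)
    return {m: sorted(r) for m, r in hits.items()}, sorted(unknown)
```

Every member reported here can start a build that runs as the Cloud Build service account, so each binding should be justified or removed; roles the table does not know are listed separately for manual review.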

Editorial: Addressing Vulnerabilities in Cloud Services

The Bad.Build vulnerability exposes the persistent challenge of securing cloud services and the supply chain, which has become a primary target for attackers. The incident underscores the importance of adopting a proactive and multi-layered security approach in cloud environments. While Google’s response to the vulnerability indicates a commitment to addressing the issue, it raises broader questions about the responsibilities of cloud service providers and organizations in securing their infrastructure.

Cloud service providers bear a significant responsibility in ensuring the security of their platforms and must continuously invest in robust security measures to protect their customers. A vulnerability like Bad.Build not only affects Google Cloud Build users but also has broader implications for the security and trustworthiness of the entire Google Cloud Platform ecosystem. As cloud services become increasingly critical to businesses and individuals, the stakes for securing them grow higher.

Organizations, on the other hand, must actively assess the security implications of relying on cloud services and consider the potential risks associated with default permissions and configurations. Limiting permissions and implementing the principle of least privilege should be a standard practice to minimize the attack surface. Collaboration between cloud service providers and customers is necessary to ensure a secure environment that protects against emerging threats.

Advice: Best Practices for Securing Cloud Services

To mitigate the risk of supply chain attacks and vulnerabilities like Bad.Build, organizations using cloud services should consider implementing the following best practices:

1. Regularly Assess and Review Permissions

Regularly review and evaluate the permissions associated with cloud services like Google Cloud Build. Remove unnecessary permissions and restrict access to critical resources to minimize potential points of vulnerability.

2. Follow the Principle of Least Privilege

Abide by the principle of least privilege when granting permissions. Only provide users and services with the precise permissions they require for their designated tasks, avoiding excessive privileges that could be exploited by attackers.

3. Implement Secure Development and Deployment Practices

Adopt secure development practices, including conducting code reviews, using secure coding frameworks, and leveraging reputable repositories. Follow secure deployment practices, such as scanning container images for vulnerabilities and regularly updating software and dependencies.

4. Continuous Monitoring and Threat Detection

Implement robust monitoring systems to detect unusual activity, unauthorized access attempts, and potential indicators of compromise. This includes network intrusion detection systems, file integrity monitoring, and data analytics for anomaly detection.

5. Enable Multi-Factor Authentication

Require the use of multi-factor authentication for all accounts accessing cloud services. This adds an additional layer of security and helps prevent unauthorized access, even in the case of credential compromise.

By adhering to these best practices, organizations can enhance the security of their cloud environments and better protect against emerging vulnerabilities and supply chain risks. It is vital to remain vigilant, regularly assess security measures, and stay informed of potential threats and mitigation strategies.
